============================================================
Android Malware Analysis
============================================================
Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.
────────────────────────────────────────────────────────────
Step 1: APK Triage
Tools: file, apkid
Verify the file type (an APK is a ZIP archive that should contain classes.dex and AndroidManifest.xml) and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques. A packed sample means the recovered Java in Step 3 will be a loader, not the real payload.
$ file specimen.apk
$ apkid specimen.apk

Step 2: Manifest Analysis
Tools: apktool
Decode the APK (the binary manifest becomes readable XML): apktool d specimen.apk -o output/. Examine output/AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters (an exported receiver on SMS_RECEIVED or BOOT_COMPLETED is a common interception/persistence pattern).
$ apktool d specimen.apk -o output/

Step 3: Source Code Recovery
Tools: jadx
Decompile DEX to Java: jadx -d output/ specimen.apk (sources land in output/sources/). Review the decompiled code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks.
$ jadx -d output/ specimen.apk

Step 4: Static Analysis
Tools: androguard, droidlysis
androguard: analyze APK structure, permissions, activities (opens an interactive session with the APK loaded). droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage.
$ androguard analyze specimen.apk
$ droidlysis --input specimen.apk --output droidlysis-out/

Step 5: Native Library Analysis
Tools: strings, radare2
If the APK contains .so libraries: extract them from the lib/<abi>/ directory (unzip them directly, or use the copy apktool left under output/lib/). Analyze with strings and radare2; substitute the actual library name below. Native code often hides C2 logic and crypto that never shows up in the Java.
$ unzip -o specimen.apk 'lib/*' -d native/
$ strings -n 8 native/lib/arm64-v8a/libnative.so
$ r2 -A native/lib/arm64-v8a/libnative.so

Step 6: Dynamic Instrumentation
Tools: frida
Hook suspicious functions at runtime on a USB-attached device or emulator running frida-server (-U), spawning the app by package name (-f): frida -U -f <package> -l hook.js. Intercept: crypto operations, network calls, file access, SMS operations.
$ frida -U -f <package> -l hook.js

Step 7: Document Findings
Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location).
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples
'Ctrl+G' for interactive cheatsheet browser
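The manual review of Steps 2 to 4 (permissions, exported components, SMS interception setup, C2 URLs and sensitive API use) as an added shell example; this is not part of the REMnux cheatsheet or of any tool it names. It writes a constructed apktool-style AndroidManifest.xml and two constructed jadx-style Java files under a temporary directory so it runs offline, then applies the greps a practitioner would run over real apktool/jadx output. The package name com.example.app, the C2 URL, the class names and the permission watch-list are assumptions; point WORKDIR at a real output tree to use it on a sample.

```shell
#!/bin/sh
# Added example, not from the REMnux cheatsheet. Manifest/source review for
# Steps 2-4 over apktool/jadx output. Everything write_samples creates is
# CONSTRUCTED test data (com.example.app, the C2 URL and class names are made
# up); set WORKDIR to a real apktool/jadx output directory instead.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
MANIFEST="$WORKDIR/AndroidManifest.xml"   # written by: apktool d specimen.apk -o "$WORKDIR"
SRCDIR="$WORKDIR/sources"                 # written by: jadx -d "$WORKDIR" specimen.apk

write_samples() {
    mkdir -p "$SRCDIR/com/example/app"
    cat > "$MANIFEST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Update">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
        <service android:name=".UploadService" android:exported="false"/>
    </application>
</manifest>
EOF
    cat > "$SRCDIR/com/example/app/SmsReceiver.java" <<'EOF'
package com.example.app;
import android.telephony.SmsMessage;
public class SmsReceiver {
    void onReceive(Object[] pdus) {
        for (Object pdu : pdus) { SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdu); }
    }
}
EOF
    cat > "$SRCDIR/com/example/app/UploadService.java" <<'EOF'
package com.example.app;
import java.io.File;
public class UploadService {
    static final String C2 = "http://c2.example.invalid/gate.php";
    static boolean rooted() { return new File("/system/xbin/su").exists(); }
}
EOF
}

# Step 2: every requested permission, one per line.
permissions() {
    grep -o 'uses-permission android:name="[^"]*"' "$MANIFEST" | sed 's/.*="//; s/"$//'
}

# Step 2: the subset that reaches user data or gives persistence (watch-list is an assumption).
suspicious_permissions() {
    permissions | grep -E 'SMS|CONTACTS|CALL_LOG|LOCATION|RECORD_AUDIO|ACCESSIBILITY|SYSTEM_ALERT_WINDOW|BOOT_COMPLETED|INSTALL_PACKAGES'
}

# Step 2: components reachable from other apps or the system, printed as "<type> <name>".
exported_components() {
    grep -E '<(activity|receiver|service|provider) ' "$MANIFEST" | grep 'android:exported="true"' \
        | sed -E 's/.*<([a-z]+) android:name="([^"]*)".*/\1 \2/'
}

# Step 2: number of SMS_RECEIVED actions; an exported receiver on it (usually with a
# high priority) is the classic SMS-interception setup.
sms_receivers() {
    grep -c 'android.provider.Telephony.SMS_RECEIVED' "$MANIFEST" || true
}

# Step 3: candidate C2 URLs in the decompiled source.
source_urls() {
    grep -rhoE 'https?://[A-Za-z0-9./:_?=&%-]+' "$SRCDIR" | sort -u
}

# Steps 3-4: source files that touch SMS, contacts, location, shell execution or root checks.
source_api_hits() {
    grep -rlE 'SmsManager|createFromPdu|getMessagesFromIntent|ContactsContract|LocationManager|Runtime\.getRuntime\(\)\.exec|/system/xbin/su' "$SRCDIR" | sort
}

report() {
    echo "== permissions =="; permissions
    echo "== suspicious permissions =="; suspicious_permissions
    echo "== exported components =="; exported_components
    echo "== SMS_RECEIVED actions: $(sms_receivers)"
    echo "== URLs in source =="; source_urls
    echo "== files with sensitive API use =="; source_api_hits
}

# "sh triage.sh report" builds the constructed samples and prints the summary.
case "${1:-}" in report) write_samples; report ;; esac
```

Run it as `sh triage.sh report` to see the summary over the constructed sample; for a real case, run Steps 2 and 3 into one directory, export WORKDIR to point at it, and call the functions from there. The greps are deliberately loose (they match on names, not parsed XML), so treat hits as leads to confirm in jadx, not as verdicts.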